All Products
Document Center

Web Application Firewall:Overview of log management

Last Updated:Oct 12, 2023

Web Application Firewall (WAF) is integrated with Simple Log Service to provide the Simple Log Service for WAF feature. The feature collects and stores access logs and protection logs of protected objects in WAF. The protected objects can be domain names and cloud service instances. You can use the feature to query and analyze log data, configure charts and alert rules, and deliver log data to downstream services. The feature allows you to focus more on log analysis.

Intended users

  • Large-scale enterprises and organizations that have log storage requirements, such as financial entities and public service sectors. The logs include host, network, and security logs of various cloud assets.
  • Organizations that have security operations centers (SOCs) and want to collect and manage security and alert logs in a centralized manner, such as public service sectors and large-scale companies in the real estate, e-commerce, and finance industries.
  • Enterprises that have advanced technologies and require in-depth log analysis and automated alert handling, such as companies in the IT, gaming, and finance industries.
  • All users who need to trace business security events and generate weekly, monthly, and yearly reports, or users who need to meet classified protection requirements (MLPS level 3 or higher).


  • Trace web attack logs back to the source of security threats.
  • View requests and query their status and trends.
  • Obtain information about the effect of security operations and handle exceptions in a timely manner.
  • Generate and deliver security network logs to user-managed data and computing centers.


  • Compliance audits: You can store website access logs for more than six months to meet classified protection requirements.
  • Flexible configuration:

    • You can collect and store web access and protection logs with a few steps.

    • You can configure log fields, the log type, and the protected objects whose logs you want to collect.

    • You can modify existing report templates or create custom report templates based on your business or security requirements. This way, you can understand the security status of your website workloads.

  • Real-time log analysis: WAF provides the real-time log analysis feature and an out-of-the-box (OOTB) report center and supports interactive data mining. This allows you to identify and analyze various attacks on your website and access details in real time.
  • Real-time alerting: You can customize monitoring and alert rules based on specific metrics. This way, you can respond to exceptions in critical services in a timely manner.
  • Collaboration: You can use this feature together with other data solutions such as real-time computing, cloud storage, and visualization to further explore the value of data.

Billing overview

  • Subscription

    You are charged based on the log storage capacity that you specify.

  • Pay-as-you-go

    The fees for the Simple Log Service for WAF feature are included only in the bills of Simple Log Service. For information about the billing rules of the Simple Log Service for WAF feature, see Pay-by-feature.

    By default, the Simple Log Service for WAF feature is disabled. To use the Simple Log Service for WAF feature, you must enable the feature. For more information, see Enable or disable the Simple Log Service for WAF feature.




Log configuration

After you enable the Simple Log Service for WAF feature, you can enable log collection for protected objects. WAF can collect and store the logs of a protected object only after you enable log collection for the protected object. For information about the fields that are included in WAF logs, see Fields in logs. For information about how to enable log collection for a protected object, see Configure log settings and manage log storage capacity.

You can modify log settings, such as the fields that are included in logs and the type of logs that you want to store. The log types are Full Log and Block Log. For more information, see Configure log settings and manage log storage capacity.

Log query

You can use query statements to query and analyze collected logs. For more information, see Query logs.

You can create alert rules based on query statements. After you create an alert rule, Simple Log Service regularly checks query and analysis results. If the query and analysis results meet a trigger condition that you specify in the alert rule, Simple Log Service sends an alert notification. This allows you to monitor the service status in real time. For more information, see Configure an alert monitoring rule in Simple Log Service.